<usp7vj$7dna$1@dont-email.me>

Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Martin Brown <'''newspam'''@nonad.co.uk>
Newsgroups: sci.electronics.design
Subject: Re: Chinese downloads overloading my website
Date: Tue, 12 Mar 2024 09:41:00 +0000
Organization: A noiseless patient Spider
Lines: 63
Message-ID: <usp7vj$7dna$1@dont-email.me>
References: <7qujui58fjds1isls4ohpcnp5d7dt20ggk@4ax.com>
 <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com> <usec35$130bu$1@solani.org>
 <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com> <usjiog$15kaq$1@solani.org>
 <t7rrui5ohh07vlvn5vnl277eec6bmvo4p9@4ax.com> <usm6v6$17e2c$1@solani.org>
 <usm96m$3fkqg$1@dont-email.me> <usmkb9$17l2r$1@solani.org>
 <du5uuih5e5d4ugd7ru8oo0gb6ppenjrtdd@4ax.com> <usn5j7$3lod7$1@dont-email.me>
 <kmduuilbvdjssqjda1i21d9b08vrk4t86j@4ax.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 12 Mar 2024 09:41:07 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="addf6acf1814213cb2e2eb642bb3e40c";
	logging-data="243434"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX19D3JS56r6SCIBf/a0P7yIUgSClSLcO/U6mtLd/jAOZow=="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:A3vKrJK2GN/fMPzDy1JZmL6W+6s=
Content-Language: en-GB
In-Reply-To: <kmduuilbvdjssqjda1i21d9b08vrk4t86j@4ax.com>
Bytes: 3881

On 11/03/2024 16:57, legg wrote:
> On Mon, 11 Mar 2024 07:48:04 -0700, Don Y
> <blockedofcourse@foo.invalid> wrote:
> 
>> On 3/11/2024 7:40 AM, legg wrote:
>>> Blocking a single IP hasn't worked for my ISP.
>>
>> It won't.  Even novice users can move to a different IP using readily
>> available mechanisms.
>>
>> Whitelisting can work (which is the approach that I use) but
>> it assumes you know who you *want* to access your site.
>>
>> (It's a lot harder to guess a permitted IP than it is to avoid
>> an obviously BLOCKED one!)
>>
>>> Each identical 17G download block (262 visits) was by a new IP
>>> in a completely different location/region.
>>>
>>> Beijing, Harbin, Henan, a mobile and a fifth, so far untraced
>>> due to suspension of my site.
>>
>> There's a reason things like "captcha" exist.
>>
>> Note that this still doesn't prevent the *page(s)* from being repeatedly
>> accessed.  But, presumably, their size is considerably smaller than
>> that of the payloads you want to protect.
>>
>> OTOH, if someone wants to shut down your account due to an exceeded
>> quota, they can keep reloading those pages until they've eaten up your
>> traffic quota.  And, "they" can be an automated process!
>>
>> [Operating a server in stealth mode can avoid this.  But, then
>> you're not "open to the public"!  :> ]
> 
> Doing some simple experiments by temporarily renaming/replacing
> some of the larger files being targeted, just to see how the bot
> reacts to the new environment. If they find renamed files it
> means something. If visits to get the same 17G alter it means
> something else.
> 
> This all at the expense and patience of my ISP. Thumbs up there.

Why don't you block entire blocks of Chinese IP addresses that contain 
the ones that have attacked you until the problem ceases?
e.g. add a few banned IP destinations to your .htaccess file

https://htaccessbook.com/block-ip-address/

1.80.*.* thru 1.95.*.*
101.16.*.* thru 101.16.*.*
101.144.*.* thru 101.159.*.*

If you block just a few big chunks it should make some difference.
You might have to inflict a bit of collateral damage in the 101.* range.

Otherwise you are stuck with adding some Captcha type thing to prevent 
malicious bots hammering your site. I'm a bit surprised that your ISP 
doesn't offer or have site wide countermeasures for such DOS attacks.

-- 
Martin Brown
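
The range blocking suggested in the post above, as an added example that is not part of the original message: it converts the three "thru" ranges as posted into CIDR networks, renders an .htaccess block, and counts how many addresses get shut out. It assumes Apache 2.4 with mod_authz_core and an AllowOverride setting that permits Require in .htaccess; the function names and sample client addresses are constructed for illustration.

```python
import ipaddress

# Ranges exactly as written in the post ("a.b.*.* thru c.d.*.*").
POSTED_RANGES = [
    "1.80.*.* thru 1.95.*.*",
    "101.16.*.* thru 101.16.*.*",
    "101.144.*.* thru 101.159.*.*",
]

# Constructed sample client addresses, not taken from any real log.
SAMPLE_CLIENTS = ["1.83.4.20", "101.150.9.9", "101.17.0.1", "203.0.113.7"]


def wildcard_range_to_cidrs(line):
    """Turn 'a.b.*.* thru c.d.*.*' into the minimal list of CIDR networks."""
    low, high = (part.strip() for part in line.split("thru"))
    first = ipaddress.IPv4Address(low.replace("*", "0"))
    last = ipaddress.IPv4Address(high.replace("*", "255"))
    if first > last:
        raise ValueError(f"range runs backwards: {line!r}")
    return list(ipaddress.summarize_address_range(first, last))


def build_htaccess(ranges):
    """Return (networks, text) for an Apache 2.4 block denying the ranges."""
    nets = [n for r in ranges for n in wildcard_range_to_cidrs(r)]
    nets = list(ipaddress.collapse_addresses(nets))  # merge overlaps, sort
    deny = "\n".join(f"    Require not ip {n}" for n in nets)
    text = f"<RequireAll>\n    Require all granted\n{deny}\n</RequireAll>\n"
    return nets, text


def blocked(ip, nets):
    """True if the client address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def addresses_denied(nets):
    """Size of the deny list, a rough measure of collateral damage."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    nets, text = build_htaccess(POSTED_RANGES)
    print(text)
    print("addresses denied:", addresses_denied(nets))
    for ip in SAMPLE_CLIENTS:
        print(ip, "blocked" if blocked(ip, nets) else "allowed")
```

Checking real client addresses from the access log against the generated networks before deploying shows whether a legitimate visitor would be caught by the wider 101.* blocks.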